When managing a VPN server with numerous clients, the manual process of generating certificates through easy-rsa's build-key becomes tedious. Each invocation requires multiple user interactions:
./build-key client1
[Multiple ENTER presses]
y
y
The build-key script inherits defaults from the vars file but still requires manual confirmation at each step. While the defaults are correct, the interactive nature slows down bulk operations.
Method 1: Using expect Script
The most robust solution is to use expect to automate the interaction:
#!/usr/bin/expect -f
# Usage: ./build-key.exp client1   (run from the easy-rsa directory after ". ./vars")
set client_name [lindex $argv 0]
# key generation can exceed expect's default 10 s timeout
set timeout 60
spawn ./build-key $client_name
# -ex matches the prompt literally; unescaped brackets would be read as a glob range
expect -ex "Country Name (2 letter code) \[US\]:"
send "\r"
expect -ex "State or Province Name (full name) \[CO\]:"
send "\r"
# ... repeat expect/send "\r" for the remaining DN prompts ...
expect -ex "Sign the certificate? \[y/n\]:"
send "y\r"
expect -ex "1 out of 1 certificate requests certified, commit? \[y/n\]"
send "y\r"
expect eof
Method 2: Build-Key Batch Wrapper
Create a wrapper script that points easy-rsa at a non-interactive openssl.cnf and runs its batch path:
#!/bin/bash
# build-key-batch (name assumed): non-interactive easy-rsa 2 issuance.
# build-key is only "pkitool --interact"; pkitool itself runs in batch mode.
set -e
CLIENT_NAME=$1
# vars exports the KEY_* defaults and KEY_CONFIG, the file pkitool passes to openssl -config
. ./vars
export KEY_CONFIG=/path/to/modified/openssl.cnf
./pkitool "$CLIENT_NAME"
Method 3: Direct openssl Commands
For ultimate control, bypass build-key and use openssl directly (a CSR signed by the CA, not a self-signed -x509 certificate, which the VPN server could not verify):
#!/bin/bash
set -e
CLIENT=$1
# Key and CSR without a passphrase (-nodes); a fixed -subj means nothing is prompted
openssl req -new -newkey rsa:2048 -nodes \
-keyout "${CLIENT}.key" -out "${CLIENT}.csr" \
-subj "/C=US/ST=CO/L=Denver/O=mycompany/CN=${CLIENT}/emailAddress=it@mycompany.com"
# Sign with the CA; -batch suppresses the sign/commit confirmations
openssl ca -batch -config openssl.cnf -days 365 -out "${CLIENT}.crt" -infiles "${CLIENT}.csr"
- Always validate certificate parameters before automated generation
- Implement proper file naming conventions for batch operations
- Consider certificate revocation list (CRL) management in your automation
- Add logging to track automated certificate generation
While automation improves efficiency, ensure you:
- Protect your CA private key
- Implement proper access controls for certificate generation
- Maintain audit logs of all certificate creation
When managing a VPN server with numerous clients, the manual certificate generation process becomes tedious. The standard ./build-key workflow in Easy-RSA requires multiple user interactions:
# Typical manual workflow example
./build-key client1
[Press ENTER 8 times]
y
ENTER
y
ENTER
The build-key script is essentially a wrapper around OpenSSL commands. When we examine the Easy-RSA implementation, we see it's processing:
- Private key generation
- Certificate signing request (CSR)
- Certificate signing with the CA
- Database updates
Here are three effective approaches to automate this process:
Method 1: Using expect Script
#!/usr/bin/expect -f
# Usage: ./build-key.exp client1   (run from the easy-rsa directory after ". ./vars")
set clientname [lindex $argv 0]
# key generation can exceed expect's default 10 s timeout
set timeout 60
spawn ./build-key $clientname
# -ex matches the prompt literally; unescaped brackets would be read as a glob range
expect -ex "Country Name (2 letter code) \[US\]:"
send "\r"
expect -ex "State or Province Name (full name) \[CO\]:"
send "\r"
# ... continue through all prompts with expect/send "\r" ...
expect -ex "Sign the certificate? \[y/n\]:"
send "y\r"
expect -ex "1 out of 1 certificate requests certified, commit? \[y/n\]"
send "y\r"
expect eof
Method 2: Modified build-key Script
Create a custom version of build-key
with automatic responses:
#!/bin/bash
set -e
CLIENT=$1
# easy-rsa's openssl.cnf reads $KEY_DIR and the other KEY_* variables from vars
. ./vars
# Generate key and CSR automatically (no passphrase, DN supplied so nothing is prompted)
openssl req -nodes -new -newkey rsa:2048 -keyout "$CLIENT.key" -out "$CLIENT.csr" -subj "/C=US/ST=CO/L=Denver/O=mycompany/CN=$CLIENT/emailAddress=it@mycompany.com"
# Sign the certificate automatically; -batch answers the sign and commit prompts
openssl ca -batch -config openssl.cnf -policy policy_anything -out "$CLIENT.crt" -infiles "$CLIENT.csr"
Method 3: Batch Processing with a Loop
Combine the automation method with batch processing:
#!/bin/bash
# build-key-auto is the non-interactive script from Method 2 (name assumed)
for CLIENT in client{1..50}; do
./build-key-auto "$CLIENT" || { echo "failed: $CLIENT" >&2; exit 1; }
done
When automating certificate generation:
- Ensure proper key and file permissions (0400 for private keys)
- Implement a revocation process for compromised certificates
- Consider using separate CAs for different security domains
- Implement proper certificate expiration policies
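The following script is an added example, not code from the page or from Easy-RSA, that puts the batch approach of Method 2 and Method 3 (both writeups) together with the checklist items above: it validates the client name before it becomes a file name and a CN, refuses to overwrite an existing key, creates the private key under umask 077 and sets it to 0400, signs with openssl ca -batch, verifies the result against ca.crt and writes an audit line. The script name issue-client.sh, the log file location and the KEY_* defaults (taken from the subject used on this page) are assumptions; when an easy-rsa vars file is present its exported values win.

```shell
#!/bin/sh
# issue-client.sh (hypothetical name): non-interactive client certificate
# issuance for an easy-rsa 2 style CA.  Usage: ./issue-client.sh client1 client2 ...
set -e

# easy-rsa's vars exports KEY_DIR, KEY_CONFIG, KEY_COUNTRY, ...; the constructed
# defaults below (matching the subject used on this page) apply when it is absent.
if [ -r ./vars ]; then . ./vars; fi
KEY_DIR=${KEY_DIR:-./keys}
KEY_CONFIG=${KEY_CONFIG:-./openssl.cnf}
KEY_SIZE=${KEY_SIZE:-2048}
KEY_COUNTRY=${KEY_COUNTRY:-US}
KEY_PROVINCE=${KEY_PROVINCE:-CO}
KEY_CITY=${KEY_CITY:-Denver}
KEY_ORG=${KEY_ORG:-mycompany}
KEY_EMAIL=${KEY_EMAIL:-it@mycompany.com}
LOG_FILE=${LOG_FILE:-$KEY_DIR/issue.log}   # assumed audit log location

# Append a timestamped audit line; recording the invoking user makes issuance traceable.
log() {
  printf '%s user=%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    "${SUDO_USER:-${USER:-unknown}}" "$*" >> "$LOG_FILE"
}

# The client name becomes a file name and the CN, so allow only a conservative
# character set and refuse path-like input such as "../ca".
validate_client_name() {
  name=$1
  [ -n "$name" ] && [ "${#name}" -le 64 ] || return 1
  case $name in
    *[!A-Za-z0-9._-]*) return 1 ;;   # any character outside the allowlist
    .*|-*) return 1 ;;               # no leading dot or dash (hidden files, option-like names)
  esac
  return 0
}

# Subject DN built from the vars values, the same shape build-key produces.
client_subject() {
  printf '/C=%s/ST=%s/L=%s/O=%s/CN=%s/emailAddress=%s' \
    "$KEY_COUNTRY" "$KEY_PROVINCE" "$KEY_CITY" "$KEY_ORG" "$1" "$KEY_EMAIL"
}

# Generate key and CSR, sign with the CA in batch mode, lock down the key, verify, log.
issue_client_cert() {
  client=$1
  if ! validate_client_name "$client"; then
    log "REJECT name=$client reason=invalid-name"; return 1
  fi
  if [ -e "$KEY_DIR/$client.key" ] || [ -e "$KEY_DIR/$client.crt" ]; then
    log "REJECT name=$client reason=already-exists"; return 1   # never silently overwrite
  fi
  # umask 077 in a subshell: the private key is never group/world readable, even briefly
  ( umask 077 && openssl req -nodes -new -newkey "rsa:$KEY_SIZE" \
      -keyout "$KEY_DIR/$client.key" -out "$KEY_DIR/$client.csr" \
      -subj "$(client_subject "$client")" )
  # -batch answers the "Sign the certificate?" and "commit?" prompts
  openssl ca -batch -config "$KEY_CONFIG" -policy policy_anything \
      -out "$KEY_DIR/$client.crt" -infiles "$KEY_DIR/$client.csr"
  chmod 0400 "$KEY_DIR/$client.key"
  # fail the batch immediately if the issued certificate does not chain to our CA
  openssl verify -CAfile "$KEY_DIR/ca.crt" "$KEY_DIR/$client.crt"
  log "ISSUED name=$client $(openssl x509 -in "$KEY_DIR/$client.crt" -noout -serial)"
}

# Batch mode: every argument is a client name (in bash: ./issue-client.sh client{1..50}).
for client in "$@"; do
  issue_client_cert "$client"
done
```

Because the script stops at the first failure (set -e, plus an explicit verify step), a misconfigured openssl.cnf or a missing CA key aborts the batch instead of leaving fifty half-issued clients behind; the REJECT lines in the log show which names were refused and why.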
For large-scale deployments, consider:
- Using build-key-server for server certificates
- Implementing a PKI management system
- Exploring OpenVPN's REST API for certificate management
After automation, verify certificates with:
openssl verify -CAfile ca.crt client1.crt
openssl x509 -in client1.crt -text -noout
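Per-certificate checks like the two above do not show the state of the CA as a whole. The script below is an added example, not from the page or from Easy-RSA, that audits the "database updates" step mentioned earlier by reading the OpenSSL ca index (easy-rsa's keys/index.txt): it counts entries by status, lists valid certificates expiring before a cutoff, and finds CNs that hold more than one valid certificate (with unique_subject=yes, openssl ca refuses to sign those until the old one is revoked, which is the usual cause of a batch run failing part-way). The sample index lines are constructed, and the column layout is OpenSSL's documented tab-separated format: status (V/R/E), expiry, revocation date, serial, filename, subject.

```shell
#!/bin/sh
# audit-index.sh (hypothetical name): report on an OpenSSL "ca" database.
# Columns, tab-separated: status (V valid, R revoked, E expired), expiry as
# YYMMDDHHMMSSZ, revocation date (empty unless R), serial, filename, subject DN.

# Constructed sample database, not taken from any real CA.
sample_index() {
  printf 'V\t300101000000Z\t\t01\tunknown\t/C=US/ST=CO/O=mycompany/CN=client1\n'
  printf 'V\t250301000000Z\t\t02\tunknown\t/C=US/ST=CO/O=mycompany/CN=client2\n'
  printf 'R\t300101000000Z\t240615120000Z\t03\tunknown\t/C=US/ST=CO/O=mycompany/CN=client3\n'
  printf 'V\t300101000000Z\t\t04\tunknown\t/C=US/ST=CO/O=mycompany/CN=client1/emailAddress=it@mycompany.com\n'
}

# Totals per status, e.g. "V=3 R=1 E=0".
count_by_status() {
  awk -F'\t' '{ c[$1]++ } END { printf "V=%d R=%d E=%d\n", c["V"], c["R"], c["E"] }'
}

# CN of every valid entry; the CN is searched from the end of the DN so a
# trailing emailAddress RDN does not matter.
valid_cns() {
  awk -F'\t' '$1 == "V" {
    n = split($6, rdn, "/")
    for (i = n; i > 0; i--) if (rdn[i] ~ /^CN=/) { print substr(rdn[i], 4); break }
  }'
}

# CNs with more than one valid certificate: re-issuing these needs a revocation
# first when openssl.cnf has unique_subject = yes.
duplicate_valid_cns() {
  valid_cns | sort | uniq -d
}

# Valid entries expiring on or before the cutoff (YYMMDDHHMMSSZ).  Plain string
# comparison is correct because the timestamp is fixed-width within one century.
expiring_before() {
  awk -F'\t' -v cutoff="$1" '$1 == "V" && $2 <= cutoff { print $4 "\t" $2 "\t" $6 }'
}

# Stand-alone use: audit the real index when an easy-rsa keys directory is present.
INDEX="${KEY_DIR:-./keys}/index.txt"
if [ -r "$INDEX" ]; then
  echo "status totals: $(count_by_status < "$INDEX")"
  echo "duplicate valid CNs (revoke before re-issuing):"
  duplicate_valid_cns < "$INDEX"
  echo "expiring before $(date -u +%y%m%d%H%M%SZ) + 30 days is left to the caller; e.g.:"
  expiring_before "$(date -u -d '+30 days' +%y%m%d%H%M%SZ 2>/dev/null || date -u +%y%m%d%H%M%SZ)" < "$INDEX"
fi
```

Run it from the easy-rsa directory after sourcing vars; the expiry report feeds a renewal batch, and the duplicate list tells you which names must go through revoke-full (and a CRL regeneration) before the issuance script can reuse them.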